Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 25/03/2024, 12:33
Static task: static1
Behavioral task: behavioral1
- Sample: Shipment Receipt.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: Shipment Receipt.exe
- Resource: win10v2004-20240226-en
Behavioral task: behavioral3
- Sample: Regretable/Prferencetolden/Alluder152/Brinie29.ps1
- Resource: win7-20240221-en
Behavioral task: behavioral4
- Sample: Regretable/Prferencetolden/Alluder152/Brinie29.ps1
- Resource: win10v2004-20240226-en
General
- Target: Shipment Receipt.exe
- Size: 526KB
- MD5: 63431a90363414f88d575f70f27762ce
- SHA1: fd0268e6b54a60f2c04a577b1f0001a4176138c8
- SHA256: 865306d0b13516f7f33fbd707d0d92c8706e4bfb1a99153c1361559f710bd45e
- SHA512: b51c3f6041c40a3a662d98cc2dc925629a86f927d08a71e76309c10694d45cec0ba498f4bb34fb6f48759618ec6edd9c365dcc2b091e15729d75f5b051667901
- SSDEEP: 12288:oS2dnErpbwb05qldvfvcf7Ac4kj3WdmrJheUuuUjvQ9B:L2dE1b405qldncMc4kjWSJUuUjvy
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\chaptaliseringer\habsburgernes.rei (process: Shipment Receipt.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 1356 powershell.exe; pid 2376 wab.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 1356 set thread context of 2376 (pid 1356 powershell.exe, procid_target 32)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid 1356 powershell.exe (8 occurrences)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 1356 powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege (pid 1356 powershell.exe)
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2876 Shipment Receipt.exe wrote to memory of 1356 (procid_target 28): 4 occurrences
  PID 1356 powershell.exe wrote to memory of 2656 (procid_target 30): 4 occurrences
  PID 1356 powershell.exe wrote to memory of 2376 (procid_target 32): 6 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shipment Receipt.exe"
  PID: 2876
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" -windowstyle hidden "$Amningsmrkerne=Get-Content 'C:\Users\Admin\AppData\Local\mafficks\Regretable\Prferencetolden\Alluder152\Brinie29.Ban';$Hieromachy=$Amningsmrkerne.SubString(58610,3);.$Hieromachy($Amningsmrkerne)"
    PID: 1356
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      PID: 2656
    - C:\Program Files (x86)\windows mail\wab.exe
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      PID: 2376
      - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 336KB
  MD5: 7887bc8c00f4047fac6240ae2b268401
  SHA1: 17f09ef15224297fa2a3f86b71f00860c3c6ae7d
  SHA256: 19e4e4dea076a8755f146fa6a539953e0c4ccb2af451759b370e9be88903d5c1
  SHA512: 36618f70d27054150e91f1ab2f0cf0de329722ebdddddf7bbb3f5d48a4d0a3f81716ca4c93e339e432267e67a9db729f87d426d34c47b1a480181ec01190575f
- Filesize: 57KB
  MD5: 606f3c0d77738574d051cf2f7140aafd
  SHA1: becf7fe1fe0af569c52c94abadc970cca66ec0a6
  SHA256: 5bb0a1909d79ecf1060382416cd6df278b2be9af709e3b072ca983d62f9b4861
  SHA512: 8bcd585c03b3e8a145a17da6c00e3423d6f0e00f8ca3c34959c49867f651371dd993478ef81e098a1cd8c8d9890c7d1c62ae0488f095b39d4f96278664b340e8